• Object Storage Service

obs
  1. Help Center
  2. Object Storage Service
  3. API Reference (OBS)
  4. OBS REST APIs
  5. Authenticating a Request
  6. V2 Temporarily Authorized Request

V2 Temporarily Authorized Request

Requests for temporarily authorized operations are authenticated using the query-string parameters instead of the authorization header.

In OBS, a registered and activated user can use its account to create a URL that contains authentication information. In addition, any user that obtains the URL can perform the operation specified by the URL.

For example, during temporarily authorized Get Object request, a specific URL is created and any user obtaining this URL can get the specified object before the expired time.

GET /ObjectKey?AWSAccessKeyId=AccessKeyID&Expires=ExpiresValue&Signature=signature HTTP/ 1.1
Host: bucketname.obs.example.com

The required authentication elements are specified as query string parameters detailed in Table 1.

Table 1 Request parameters

Parameter

Description

Remarks

AWSAccessKeyId

Indicates the AK of the permission grantor.

Type: String

Mandatory

Expires

Indicates the time (expressed in seconds) when the temporarily authorized URL expires. The time must be in Coordinated Universal Time (UTC) format and later than 00:00:00 on January 1, 1970.

Type: String

Mandatory

Signature

Indicates the signature generated using the SK and parameter Expires.

Type: String

Mandatory

The query-string authentication differs from the authorization header authentication in the following aspects:

  • The signature is both Base64 and URL encoded.
  • Expires in StringToSign corresponds to Date in authorization information.
StringToSign = HTTP-Verb + "\n" + Content-MD5 + "\n" + Content-Type + "\n" + Expire + "\n" + CanonicalizedOBSHeaders + CanonicalizedResource.

 Signature = URL-Encode(Base64( HMAC-SHA1( UTF-8-Encoding-Of(YourSecretAccessKeyID, StringToSign ) ) )).